Here's the rule from the error:
<group name="syslog,access_control,">
  <rule id="2501" level="0">
    <match> esm</match>
    <group>authentication_failed,</group>
    <description>User authentication failure.</description>
  </rule>
</group>
If I comment it out, it just says the next rule is a duplicate, and so on
and so on. None are overwrite rules.
On Thursday, April 5, 2018 at 4:04:56 AM UTC-6, dan (ddpbsd) wrote:
>
>
>
> On Wed, Apr 4, 2018, 8:56 PM Cooper <[email protected]> wrote:
>
>> Sorry Dan, I'm horribly new to managing ossec (yesterday). How would I
>> know that?
>>
>
> Look for 'overwrite="yes"' in the rule.
>
>
>
>> On Wednesday, April 4, 2018 at 6:54:14 PM UTC-6, dan (ddpbsd) wrote:
>>>
>>>
>>>
>>> On Wed, Apr 4, 2018, 8:50 PM Cooper <[email protected]> wrote:
>>>
>>>> When trying to start our new 2.9.3 ossec server, I receive the
>>>> following error:
>>>>
>>>> 2018/04/04 19:45:39 ossec-analysisd: Duplicate rule ID:2501
>>>> 2018/04/04 19:45:39 ossec-testrule(1220): ERROR: Error loading the
>>>> rules: 'local_rules.xml'.
>>>>
>>>> However, inside local_rules, there's only one rule with an ID of 2501.
>>>> If I comment out that rule, it just says that the next rule is a
>>>> duplicate. These rules are being migrated from a working 2.7.2 install.
>>>> Anyone run into this before?
>>>>
>>>
>>>
>>> Are these overwrite rules?
>>>
>>> --
>>>>
>>>> ---
>>>> You received this message because you are subscribed to the Google
>>>> Groups "ossec-list" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to [email protected].
>>>> For more options, visit https://groups.google.com/d/optout.
>>>>
>>> --
>>
>